Clean up the setfcontext_compile atomic patch

- Make sure label_file code always sets errno

.gitignore

@@ -193,3 +193,4 @@ libselinux-2.0.96.tgz
 /libselinux-2.1.9.tgz
 /libselinux-2.1.10.tgz
 /libselinux-2.1.11.tgz
+/libselinux-2.1.12.tgz

libselinux-f19.patch

@@ -0,0 +1,476 @@
+diff -up libselinux-2.1.12/src/avc_internal.c.f19 libselinux-2.1.12/src/avc_internal.c
+--- libselinux-2.1.12/src/avc_internal.c.f19	2012-09-13 13:26:50.000000000 -0400
++++ libselinux-2.1.12/src/avc_internal.c	2013-03-06 13:55:15.411795519 -0500
+@@ -60,13 +60,12 @@ int avc_netlink_open(int blocking)
+ 	int len, rc = 0;
+ 	struct sockaddr_nl addr;
+ 
+-	fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_SELINUX);
++	fd = socket(PF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_SELINUX);
+ 	if (fd < 0) {
+ 		rc = fd;
+ 		goto out;
+ 	}
+ 	
+-	fcntl(fd, F_SETFD, FD_CLOEXEC);
+ 	if (!blocking && fcntl(fd, F_SETFL, O_NONBLOCK)) {
+ 		close(fd);
+ 		fd = -1;
+diff -up libselinux-2.1.12/src/fgetfilecon.c.f19 libselinux-2.1.12/src/fgetfilecon.c
+--- libselinux-2.1.12/src/fgetfilecon.c.f19	2012-09-13 13:26:50.000000000 -0400
++++ libselinux-2.1.12/src/fgetfilecon.c	2013-03-06 13:55:15.412795523 -0500
+@@ -39,7 +39,7 @@ int fgetfilecon_raw(int fd, security_con
+       out:
+ 	if (ret == 0) {
+ 		/* Re-map empty attribute values to errors. */
+-		errno = EOPNOTSUPP;
++		errno = ENOTSUP;
+ 		ret = -1;
+ 	}
+ 	if (ret < 0)
+diff -up libselinux-2.1.12/src/getfilecon.c.f19 libselinux-2.1.12/src/getfilecon.c
+--- libselinux-2.1.12/src/getfilecon.c.f19	2012-09-13 13:26:50.000000000 -0400
++++ libselinux-2.1.12/src/getfilecon.c	2013-03-06 13:55:15.412795523 -0500
+@@ -39,7 +39,7 @@ int getfilecon_raw(const char *path, sec
+       out:
+ 	if (ret == 0) {
+ 		/* Re-map empty attribute values to errors. */
+-		errno = EOPNOTSUPP;
++		errno = ENOTSUP;
+ 		ret = -1;
+ 	}
+ 	if (ret < 0)
+diff -up libselinux-2.1.12/src/label_file.c.f19 libselinux-2.1.12/src/label_file.c
+--- libselinux-2.1.12/src/label_file.c.f19	2013-03-06 13:55:15.394795448 -0500
++++ libselinux-2.1.12/src/label_file.c	2013-03-08 12:37:41.305333387 -0500
+@@ -245,6 +245,7 @@ static int load_mmap(struct selabel_hand
+ 	char *addr;
+ 	size_t len;
+ 	int stem_map_len, *stem_map;
++	struct mmap_area *mmap_area;
+ 
+ 	uint32_t *magic;
+ 	uint32_t *section_len;
+@@ -255,7 +256,7 @@ static int load_mmap(struct selabel_hand
+ 		return -1;
+ 
+ 	mmapfd = open(mmap_path, O_RDONLY | O_CLOEXEC);
+-	if (!mmapfd)
++	if (mmapfd < 0)
+ 		return -1;
+ 
+ 	rc = fstat(mmapfd, &mmap_stat);
+@@ -281,13 +282,26 @@ static int load_mmap(struct selabel_hand
+ 	len += (sysconf(_SC_PAGE_SIZE) - 1);
+ 	len &= ~(sysconf(_SC_PAGE_SIZE) - 1);
+ 
++	mmap_area = malloc(sizeof(*mmap_area));
++	if (!mmap_area) {
++		close(mmapfd);
++		return -1;
++	}
++
+ 	addr = mmap(NULL, len, PROT_READ, MAP_PRIVATE, mmapfd, 0);
+ 	close(mmapfd);
+ 	if (addr == MAP_FAILED) {
++		free(mmap_area);
+ 		perror("mmap");
+ 		return -1;
+ 	}
+ 
++	/* save where we mmap'd the file to cleanup on close() */
++	mmap_area->addr = addr;
++	mmap_area->len = len;
++	mmap_area->next = data->mmap_areas;
++	data->mmap_areas = mmap_area;
++
+ 	/* check if this looks like an fcontext file */
+ 	magic = (uint32_t *)addr;
+ 	if (*magic != SELINUX_MAGIC_COMPILED_FCONTEXT)
+@@ -330,8 +344,10 @@ static int load_mmap(struct selabel_hand
+ 		newid = find_stem(data, buf, stem_len);
+ 		if (newid < 0) {
+ 			newid = store_stem(data, buf, stem_len);
+-			if (newid < 0)
+-				return newid;
++			if (newid < 0) {
++				rc = newid;
++				goto err;
++			}
+ 			data->stem_arr[newid].from_mmap = 1;
+ 		}
+ 		stem_map[i] = newid;
+@@ -347,7 +363,7 @@ static int load_mmap(struct selabel_hand
+ 
+ 		rc = grow_specs(data);
+ 		if (rc < 0)
+-			return rc;
++			goto err;
+ 
+ 		spec = &data->spec_arr[data->nspec];
+ 		spec->from_mmap = 1;
+@@ -355,9 +371,11 @@ static int load_mmap(struct selabel_hand
+ 
+ 		plen = (uint32_t *)addr;
+ 		addr += sizeof(uint32_t);
++		rc = -1;
+ 		spec->lr.ctx_raw = strdup((char *)addr);
+ 		if (!spec->lr.ctx_raw)
+-			return -1;
++			goto err;
++
+ 		addr += *plen;
+ 
+ 		plen = (uint32_t *)addr;
+@@ -370,12 +388,10 @@ static int load_mmap(struct selabel_hand
+ 
+ 		/* map the stem id from the mmap file to the data->stem_arr */
+ 		stem_id = *(int32_t *)addr;
+-		if (stem_id == -1) {
++		if (stem_id == -1 || stem_id >= stem_map_len)
+ 			spec->stem_id = -1;
+-		} else {
+-			assert(stem_id <= stem_map_len);
++		else
+ 			spec->stem_id = stem_map[stem_id];
+-		}
+ 		addr += sizeof(int32_t);
+ 
+ 		/* retrieve the hasMetaChars bit */
+@@ -395,11 +411,12 @@ static int load_mmap(struct selabel_hand
+ 
+ 		data->nspec++;
+ 	}
+-
++	/* win */
++	rc = 0;
++err:
+ 	free(stem_map);
+ 
+-	/* win */
+-	return 0;
++	return rc;
+ }
+ 
+ static int process_file(const char *path, const char *suffix, struct selabel_handle *rec, const char *prefix)
+@@ -529,18 +546,19 @@ finish:
+ static void closef(struct selabel_handle *rec)
+ {
+ 	struct saved_data *data = (struct saved_data *)rec->data;
++	struct mmap_area *area, *last_area;
+ 	struct spec *spec;
+ 	struct stem *stem;
+ 	unsigned int i;
+ 
+ 	for (i = 0; i < data->nspec; i++) {
+ 		spec = &data->spec_arr[i];
++		free(spec->lr.ctx_trans);
++		free(spec->lr.ctx_raw);
+ 		if (spec->from_mmap)
+ 			continue;
+ 		free(spec->regex_str);
+ 		free(spec->type_str);
+-		free(spec->lr.ctx_raw);
+-		free(spec->lr.ctx_trans);
+ 		if (spec->regcomp) {
+ 			pcre_free(spec->regex);
+ 			pcre_free_study(spec->sd);
+@@ -558,7 +576,14 @@ static void closef(struct selabel_handle
+ 		free(data->spec_arr);
+ 	if (data->stem_arr)
+ 		free(data->stem_arr);
+-	
++
++	area = data->mmap_areas;
++	while (area) {
++		munmap(area->addr, area->len);
++		last_area = area;
++		area = area->next;
++		free(last_area);
++	}
+ 	free(data);
+ }
+ 
+@@ -624,6 +649,8 @@ static struct selabel_lookup_rec *lookup
+ 				break;
+ 			} else if (rc == PCRE_ERROR_NOMATCH)
+ 				continue;
++
++			errno = ENOENT;
+ 			/* else it's an error */
+ 			goto finish;
+ 		}
+@@ -635,6 +662,7 @@ static struct selabel_lookup_rec *lookup
+ 		goto finish;
+ 	}
+ 
++	errno = 0;
+ 	ret = &spec_arr[i].lr;
+ 
+ finish:
+diff -up libselinux-2.1.12/src/label_file.h.f19 libselinux-2.1.12/src/label_file.h
+--- libselinux-2.1.12/src/label_file.h.f19	2013-03-06 13:55:15.395795452 -0500
++++ libselinux-2.1.12/src/label_file.h	2013-03-06 13:55:15.414795531 -0500
+@@ -33,6 +33,13 @@ struct stem {
+ 	char from_mmap;
+ };
+ 
++/* Where we map the file in during selabel_open() */
++struct mmap_area {
++	void *addr;
++	size_t len;
++	struct mmap_area *next;
++};
++
+ /* Our stored configuration */
+ struct saved_data {
+ 	/*
+@@ -49,6 +56,7 @@ struct saved_data {
+ 	struct stem *stem_arr;
+ 	int num_stems;
+ 	int alloc_stems;
++	struct mmap_area *mmap_areas;
+ };
+ 
+ static inline pcre_extra *get_pcre_extra(struct spec *spec)
+diff -up libselinux-2.1.12/src/lgetfilecon.c.f19 libselinux-2.1.12/src/lgetfilecon.c
+--- libselinux-2.1.12/src/lgetfilecon.c.f19	2012-09-13 13:26:50.000000000 -0400
++++ libselinux-2.1.12/src/lgetfilecon.c	2013-03-06 13:55:15.415795536 -0500
+@@ -39,7 +39,7 @@ int lgetfilecon_raw(const char *path, se
+       out:
+ 	if (ret == 0) {
+ 		/* Re-map empty attribute values to errors. */
+-		errno = EOPNOTSUPP;
++		errno = ENOTSUP;
+ 		ret = -1;
+ 	}
+ 	if (ret < 0)
+diff -up libselinux-2.1.12/src/mapping.c.f19 libselinux-2.1.12/src/mapping.c
+--- libselinux-2.1.12/src/mapping.c.f19	2012-09-13 13:26:50.000000000 -0400
++++ libselinux-2.1.12/src/mapping.c	2013-03-06 13:55:15.415795536 -0500
+@@ -66,7 +66,7 @@ selinux_set_mapping(struct security_clas
+ 			goto err2;
+ 
+ 		k = 0;
+-		while (p_in->perms && p_in->perms[k]) {
++		while (p_in->perms[k]) {
+ 			/* An empty permission string skips ahead */
+ 			if (!*p_in->perms[k]) {
+ 				k++;
+diff -up libselinux-2.1.12/utils/sefcontext_compile.c.f19 libselinux-2.1.12/utils/sefcontext_compile.c
+--- libselinux-2.1.12/utils/sefcontext_compile.c.f19	2013-03-06 13:59:26.567841949 -0500
++++ libselinux-2.1.12/utils/sefcontext_compile.c	2013-03-08 12:24:54.014002976 -0500
+@@ -145,7 +145,7 @@ static int process_file(struct saved_dat
+  *	u32  - data length of the pcre regex study daya
+  *	char - a buffer holding the raw pcre regex study data
+  */
+-static int write_binary_file(struct saved_data *data, char *filename)
++static int write_binary_file(struct saved_data *data, int fd)
+ {
+ 	struct spec *specs = data->spec_arr;
+ 	FILE *bin_file;
+@@ -153,8 +153,9 @@ static int write_binary_file(struct save
+ 	uint32_t magic = SELINUX_MAGIC_COMPILED_FCONTEXT;
+ 	uint32_t section_len;
+ 	uint32_t i;
++	int rc;
+ 
+-	bin_file = fopen(filename, "w");
++	bin_file = fdopen(fd, "w");
+ 	if (!bin_file) {
+ 		perror("fopen output_file");
+ 		exit(EXIT_FAILURE);
+@@ -163,19 +164,19 @@ static int write_binary_file(struct save
+ 	/* write some magic number */
+ 	len = fwrite(&magic, sizeof(uint32_t), 1, bin_file);
+ 	if (len != 1)
+-		return -1;
++		goto err;
+ 
+ 	/* write the version */
+ 	section_len = SELINUX_COMPILED_FCONTEXT_MAX_VERS;
+ 	len = fwrite(&section_len, sizeof(uint32_t), 1, bin_file);
+ 	if (len != 1)
+-		return -1;
++		goto err;
+ 
+ 	/* write the number of stems coming */
+ 	section_len = data->num_stems;
+ 	len = fwrite(&section_len, sizeof(uint32_t), 1, bin_file);
+ 	if (len != 1)
+-		return -1;
++		goto err;
+ 
+ 	for (i = 0; i < section_len; i++) {
+ 		char *stem = data->stem_arr[i].buf;
+@@ -184,20 +185,20 @@ static int write_binary_file(struct save
+ 		/* write the strlen (aka no nul) */
+ 		len = fwrite(&stem_len, sizeof(uint32_t), 1, bin_file);
+ 		if (len != 1)
+-			return -1;
++			goto err;
+ 
+ 		/* include the nul in the file */
+ 		stem_len += 1;
+ 		len = fwrite(stem, sizeof(char), stem_len, bin_file);
+ 		if (len != stem_len)
+-			return -1;
++			goto err;
+ 	}
+ 
+ 	/* write the number of regexes coming */
+ 	section_len = data->nspec;
+ 	len = fwrite(&section_len, sizeof(uint32_t), 1, bin_file);
+ 	if (len != 1)
+-		return -1;
++		goto err;
+ 
+ 	for (i = 0; i < section_len; i++) {
+ 		char *context = specs[i].lr.ctx_raw;
+@@ -208,82 +209,85 @@ static int write_binary_file(struct save
+ 		pcre_extra *sd = get_pcre_extra(&specs[i]);
+ 		uint32_t to_write;
+ 		size_t size;
+-		int rc;
+ 
+ 		/* length of the context string (including nul) */
+ 		to_write = strlen(context) + 1;
+ 		len = fwrite(&to_write, sizeof(uint32_t), 1, bin_file);
+ 		if (len != 1)
+-			return -1;
++			goto err;
+ 
+ 		/* original context strin (including nul) */
+ 		len = fwrite(context, sizeof(char), to_write, bin_file);
+ 		if (len != to_write)
+-			return -1;
++			goto err;
+ 
+ 		/* length of the original regex string (including nul) */
+ 		to_write = strlen(regex_str) + 1;
+ 		len = fwrite(&to_write, sizeof(uint32_t), 1, bin_file);
+ 		if (len != 1)
+-			return -1;
++			goto err;
+ 
+ 		/* original regex string */
+ 		len = fwrite(regex_str, sizeof(char), to_write, bin_file);
+ 		if (len != to_write)
+-			return -1;
++			goto err;
+ 
+ 		/* binary F_MODE bits */
+ 		len = fwrite(&mode, sizeof(mode), 1, bin_file);
+ 		if (len != 1)
+-			return -1;
++			goto err;
+ 
+ 		/* stem for this regex (could be -1) */
+ 		len = fwrite(&stem_id, sizeof(stem_id), 1, bin_file);
+ 		if (len != 1)
+-			return -1;
++			goto err;
+ 
+ 		/* does this spec have a metaChar? */
+ 		to_write = specs[i].hasMetaChars;
+ 		len = fwrite(&to_write, sizeof(to_write), 1, bin_file);
+ 		if (len != 1)
+-			return -1;
++			goto err;
+ 
+ 		/* determine the size of the pcre data in bytes */
+ 		rc = pcre_fullinfo(re, NULL, PCRE_INFO_SIZE, &size);
+ 		if (rc < 0)
+-			return -1;
++			goto err;
+ 
+ 		/* write the number of bytes in the pcre data */
+ 		to_write = size;
+ 		len = fwrite(&to_write, sizeof(uint32_t), 1, bin_file);
+ 		if (len != 1)
+-			return -1;
++			goto err;
+ 
+ 		/* write the actual pcre data as a char array */
+ 		len = fwrite(re, 1, to_write, bin_file);
+ 		if (len != to_write)
+-			return -1;
++			goto err;
+ 
+ 		/* determine the size of the pcre study info */
+ 		rc = pcre_fullinfo(re, sd, PCRE_INFO_STUDYSIZE, &size);
+ 		if (rc < 0)
+-			return -1;
++			goto err;
+ 
+ 		/* write the number of bytes in the pcre study data */
+ 		to_write = size;
+ 		len = fwrite(&to_write, sizeof(uint32_t), 1, bin_file);
+ 		if (len != 1)
+-			return -1;
++			goto err;
+ 
+ 		/* write the actual pcre study data as a char array */
+ 		len = fwrite(sd->study_data, 1, to_write, bin_file);
+ 		if (len != to_write)
+-			return -1;
++			goto err;
+ 	}
+ 
++	rc = 0;
++out:
+ 	fclose(bin_file);
+-
+-	return 0;
++	return rc;
++err:
++	rc = -1;
++	goto out;
+ }
+ 
+ static int free_specs(struct saved_data *data)
+@@ -317,7 +321,9 @@ int main(int argc, char *argv[])
+ 	const char *path;
+ 	char stack_path[PATH_MAX + 1];
+ 	int rc;
+-
++	char *tmp= NULL;
++	int fd;
++	
+ 	if (argc != 2) {
+ 		fprintf(stderr, "usage: %s input_file\n", argv[0]);
+ 		exit(EXIT_FAILURE);
+@@ -338,13 +344,29 @@ int main(int argc, char *argv[])
+ 	rc = snprintf(stack_path, sizeof(stack_path), "%s.bin", path);
+ 	if (rc < 0 || rc >= sizeof(stack_path))
+ 		return rc;
+-	rc = write_binary_file(&data, stack_path);
++
++	if (asprintf(&tmp, "%sXXXXXX", stack_path) < 0)
++		return -1;
++
++	fd  = mkstemp(tmp);
++	if (fd < 0) 
++		goto err;
++
++	rc = write_binary_file(&data, fd);
++
+ 	if (rc < 0)
+-		return rc;
++		goto err;
+ 
++	rename(tmp, stack_path);
+ 	rc = free_specs(&data);
+ 	if (rc < 0)
+-		return rc;
++		goto err;
+ 
+-	return 0;
++	rc = 0;
++out:
++	free(tmp);
++	return rc;
++err:
++	rc = -1;
++	goto out;
+ }

libselinux.spec

@@ -4,23 +4,26 @@
 
 %define ruby_inc %(pkg-config --cflags ruby-1.9)
 %define ruby_sitearch %(ruby -rrbconfig -e "puts RbConfig::CONFIG['vendorarchdir']")
-%define libsepolver 2.1.5-1
+%define libsepolver 2.1.7-4
 %{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
 
 Summary: SELinux library and simple utilities
 Name: libselinux
-Version: 2.1.11
-Release: 6%{?dist}
+Version: 2.1.12
+Release: 7.3%{?dist}
 License: Public Domain
 Group: System Environment/Libraries
 Source: %{name}-%{version}.tgz
+Source1: selinuxconlist.8
+Source2: selinuxdefcon.8
 Url: http://oss.tresys.com/git/selinux.git
 Patch1: libselinux-rhat.patch
-BuildRequires: pkgconfig python-devel ruby-devel ruby libsepol-static >= %{libsepolver} swig
+Patch2: libselinux-f19.patch
+BuildRequires: pkgconfig python-devel ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre-devel
 %if 0%{?with_python3}
 BuildRequires: python3-devel
 %endif # if with_python3
-Requires: libsepol >= %{libsepolver}
+Requires: libsepol >= %{libsepolver} pcre
 Conflicts: filesystem < 3
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -99,6 +102,7 @@ needed for developing SELinux applications.
 %prep
 %setup -q
 %patch1 -p2 -b .rhat
+%patch2 -p1 -b .f19
 
 %build
 # To support building the Python wrapper against multiple Python runtimes
@@ -174,6 +178,9 @@ rm -f %{buildroot}%{_sbindir}/getseuser
 rm -f %{buildroot}%{_sbindir}/selinux_check_securetty_context
 mv %{buildroot}%{_sbindir}/getdefaultcon %{buildroot}%{_sbindir}/selinuxdefcon
 mv %{buildroot}%{_sbindir}/getconlist %{buildroot}%{_sbindir}/selinuxconlist
+install -d %{buildroot}%{_mandir}/man8/
+install -m 644 %{SOURCE1} %{buildroot}%{_mandir}/man8/
+install -m 644 %{SOURCE2} %{buildroot}%{_mandir}/man8/
 
 %clean
 rm -rf %{buildroot}
@@ -187,6 +194,7 @@ rm -rf %{buildroot}
 %{_libdir}/libselinux.so.*
 /var/run/setrans
 %{_sbindir}/matchpathcon
+%{_sbindir}/sefcontext_compile
 /usr/lib/tmpfiles.d/libselinux.conf
 
 %files utils
@@ -235,6 +243,72 @@ rm -rf %{buildroot}
 %{ruby_sitearch}/selinux.so
 
 %changelog
+* Wed Mar 6 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-7.3
+- Clean up the setfcontext_compile atomic patch
+- Make sure label_file code always sets errno
+
+* Wed Mar 6 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-7.2
+- Make setfcontext_compile atomic
+
+* Mon Jan 28 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-7.1
+- Fix memory leak in label_file, which is effecting virt
+- Clean up closeonexec calls
+- Return ENOTSUP rather then EOPNOTSUPP for getfilecon calls
+- Fix potential crash in mappings handling
+
+* Thu Nov 1 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-7
+- Apply patch from eparis to fix leaked file descriptor in new labeling code
+
+* Fri Oct 19 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-6
+- Add new function mode_to_security_class which takes mode instead of a string.
+- Possibly will be used with coreutils.
+
+* Mon Oct 15 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-5
+- Add back selinuxconlist and selinuxdefcon man pages
+
+* Mon Oct 15 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-4
+- Fix segfault from calling audit2why.finish() multiple times
+
+* Fri Oct 12 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-3
+- Fix up selinux man page to reference service man pages
+
+* Wed Sep 19 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-2
+- Rebuild with fixed libsepol
+
+* Thu Sep 13 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-1
+- Update to upstream 
+	* Add support for lxc_contexts_path
+	* utils: add service to getdefaultcon
+	* libsemanage: do not set soname needlessly
+	* libsemanage: remove PYTHONLIBDIR and ruby equivalent
+	* boolean name equivalency
+	* getsebool: support boolean name substitution
+	* Add man page for new selinux_boolean_sub function.
+	* expose selinux_boolean_sub
+	* matchpathcon: add -m option to force file type check
+	* utils: avcstat: clear sa_mask set
+	* seusers: Check for strchr failure
+	* booleans: initialize pointer to silence coveriety
+	* stop messages when SELinux disabled
+	* label_file: use PCRE instead of glibc regex functions
+	* label_file: remove all typedefs
+	* label_file: move definitions to include file
+	* label_file: do string to mode_t conversion in a helper function
+	* label_file: move error reporting back into caller
+	* label_file: move stem/spec handling to header
+	* label_file: drop useless ncomp field from label_file data
+	* label_file: move spec_hasMetaChars to header
+	* label_file: fix potential read past buffer in spec_hasMetaChars
+	* label_file: move regex sorting to the header
+	* label_file: add accessors for the pcre extra data
+	* label_file: only run regex files one time
+	* label_file: new process_file function
+	* label_file: break up find_stem_from_spec
+	* label_file: struct reorg
+	* label_file: only run array once when sorting
+	* Ensure that we only close the selinux netlink socket once.
+	* improve the file_contexts.5 manual page
+
 * Fri Aug 03 2012 David Malcolm <dmalcolm@redhat.com> - 2.1.11-6
 - rebuild for https://fedoraproject.org/wiki/Features/Python_3.3
 
@@ -342,7 +416,7 @@ rm -rf %{buildroot}
 	* Cleanup Man pages
 	* merge freecon with getcon man page
 
-* Mon Dec 18 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.8-5
+* Mon Dec 19 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.8-5
 - Add patch from Richard Haines
       When selabel_lookup found an invalid context with validation enabled, it
       always stated it was 'file_contexts' whether media, x, db or file.
@@ -499,7 +573,7 @@ context
 	by Dan Walsh.
 	* Update man pages for selinux_color_* functions by Richard Haines.
 
-* Wed Apr 5 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.101-1
+* Wed Apr 6 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.101-1
 - Clean up patch to make handling of constructor  cleanup more portable
   * db_language object class support for selabel_lookup from KaiGai Kohei.
   * Library destructors for thread local storage keys from Eamon Walsh.
@@ -548,10 +622,10 @@ pthread_key_delete, and is ignored.
 - Update to upstream 
 	* Thread local storage fixes from Eamon Walsh.
 
-* Wed Dec 2 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.96-9
+* Sat Dec 4 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.96-9
 - Add /etc/tmpfiles.d support for /var/run/setrans
 
-* Sun Nov 24 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.96-8
+* Wed Nov 24 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.96-8
 - Ghost /var/run/setrans
 
 * Wed Sep 29 2010 jkeating - 2.0.96-7
@@ -584,7 +658,7 @@ pthread_key_delete, and is ignored.
 * Wed Mar 24 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.94-1
 	* Set errno=EINVAL for invalid contexts from Dan Walsh.
 
-* Sun Mar 16 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.93-1
+* Tue Mar 16 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.93-1
 - Update to upstream 
 	* Show strerror for security_getenforce() by Colin Waters.
 	* Merged selabel database support by KaiGai Kohei.
@@ -1113,23 +1187,23 @@ pthread_key_delete, and is ignored.
 	* Merged patch to drop support for old /etc/sysconfig/selinux and
 	  /etc/security policy file layout from Steve Grubb.
 
-* Tue Mar 8 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.5-2
+* Thu Mar 8 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.5-2
 - Do not fail on permission denied in getsebool
 
 * Tue Feb 27 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.5-1
 - Upgrade to upstream
 	* Merged init_selinuxmnt() and is_selinux_enabled() improvements from Steve Grubb.
 
-* Fri Feb 21 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.4-1
+* Wed Feb 21 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.4-1
 - Upgrade to upstream
 	* Removed sending of setrans init message.
 	* Merged matchpathcon memory leak fix from Steve Grubb.
 
-* Thu Feb 20 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.2-1
+* Tue Feb 20 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.2-1
 - Upgrade to upstream
 	* Merged more swig initializers from Dan Walsh.
 
-* Tue Feb 20 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.1-1
+* Sun Feb 18 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.1-1
 - Upgrade to upstream
 	* Merged patch from Todd Miller to convert int types over to C99 style.
 
@@ -1149,7 +1223,8 @@ pthread_key_delete, and is ignored.
 * Wed Jan 17 2007 Dan Walsh <dwalsh@redhat.com> - 1.33.6-1
 - Upgrade to upstream
 	* Merged man page updates to make "apropos selinux" work from Dan Walsh.
-* Wed Jan 15 2007 Dan Walsh <dwalsh@redhat.com> - 1.33.5-1
+
+* Wed Jan 17 2007 Dan Walsh <dwalsh@redhat.com> - 1.33.5-1
 - Upgrade to upstream
 	* Merged getdefaultcon utility from Dan Walsh.
 
@@ -1215,7 +1290,7 @@ Resolves: #200110
 * Wed Sep 27 2006 Jeremy Katz <katzj@redhat.com> - 1.30.28-3
 - really make -devel depend on libsepol-devel
 
-* Wed Sep  25 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.28-2
+* Wed Sep  27 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.28-2
 - Add sgrubb patch for polmatch
 
 * Wed Sep  13 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.28-1
@@ -1382,7 +1457,7 @@ Resolves: #200110
 	  a regular file.
 	* Merged python binding t_output_helper removal patch from Dan Walsh.
 
-* Mon Apr 11 2006 Dan Walsh <dwalsh@redhat.com> 1.30.1-2
+* Tue Apr 11 2006 Dan Walsh <dwalsh@redhat.com> 1.30.1-2
 - Fix python bindings for matchpathcon
 - Fix booleans man page
 
@@ -1417,7 +1492,7 @@ Resolves: #200110
 - Upgrade to latest from NSA
 	* Added getseuser test program.
 
-* Fri Jan 7 2006 Dan Walsh <dwalsh@redhat.com> 1.29.4-1
+* Fri Jan 6 2006 Dan Walsh <dwalsh@redhat.com> 1.29.4-1
 - Upgrade to latest from NSA
 	* Added format attribute to myprintf in matchpathcon.c and
 	  removed obsoleted rootlen variable in init_selinux_config().
@@ -1623,13 +1698,13 @@ Resolves: #200110
 - Update to latest from NSA
 - Add getseuserbyname
 
-* Fri Sep 12 2005 Dan Walsh <dwalsh@redhat.com> 1.26-6
+* Fri Sep 16 2005 Dan Walsh <dwalsh@redhat.com> 1.26-6
 - Fix patch call
 
-* Tue Sep 12 2005 Dan Walsh <dwalsh@redhat.com> 1.26-5
+* Tue Sep 13 2005 Dan Walsh <dwalsh@redhat.com> 1.26-5
 - Fix strip_con call
 
-* Tue Sep 12 2005 Dan Walsh <dwalsh@redhat.com> 1.26-3
+* Tue Sep 13 2005 Dan Walsh <dwalsh@redhat.com> 1.26-3
 - Go back to original libsetrans code
 
 * Mon Sep 12 2005 Dan Walsh <dwalsh@redhat.com> 1.26-2
@@ -1695,13 +1770,13 @@ Resolves: #200110
 	* Changed security_load_booleans to process booleans.local 
 	  even if booleans file doesn't exist.
 	
-* Fri Apr 26 2005 Dan Walsh <dwalsh@redhat.com> 1.23.10-3
+* Fri Apr 29 2005 Dan Walsh <dwalsh@redhat.com> 1.23.10-3
 - Fix avcstat to clear totals
 
-* Fri Apr 26 2005 Dan Walsh <dwalsh@redhat.com> 1.23.10-2
+* Fri Apr 29 2005 Dan Walsh <dwalsh@redhat.com> 1.23.10-2
 - Add info to man page
 
-* Fri Apr 26 2005 Dan Walsh <dwalsh@redhat.com> 1.23.10-1
+* Fri Apr 29 2005 Dan Walsh <dwalsh@redhat.com> 1.23.10-1
 - Update from NSA
 	* Merged set_selinuxmnt patch from Bill Nottingham (Red Hat).
 	* Rewrote get_ordered_context_list and helpers, including
@@ -1816,7 +1891,7 @@ Resolves: #200110
 * Mon Jan 24 2005 Dan Walsh <dwalsh@redhat.com> 1.21.1-3
 - rpmexeccon should not fail in permissive mode.
 
-* Fri Jan 20 2005 Dan Walsh <dwalsh@redhat.com> 1.21.1-2
+* Fri Jan 21 2005 Dan Walsh <dwalsh@redhat.com> 1.21.1-2
 - fix printf in avcstat
 
 * Thu Jan 20 2005 Dan Walsh <dwalsh@redhat.com> 1.21.1-1
@@ -1980,7 +2055,7 @@ Resolves: #200110
 - Update from NSA
 - Add optflags
 
-* Fri Aug 26 2004 Dan Walsh <dwalsh@redhat.com> 1.17.3-1
+* Fri Aug 27 2004 Dan Walsh <dwalsh@redhat.com> 1.17.3-1
 - Update from NSA
 
 * Thu Aug 26 2004 Dan Walsh <dwalsh@redhat.com> 1.17.2-1
@@ -2022,7 +2097,7 @@ Resolves: #200110
 * Thu Aug 12 2004 Dan Walsh <dwalsh@redhat.com> 1.15.3-2
 - Add man page for boolean functions and SELinux
 
-* Sat Aug 8 2004 Dan Walsh <dwalsh@redhat.com> 1.15.3-1
+* Sun Aug 8 2004 Dan Walsh <dwalsh@redhat.com> 1.15.3-1
 - Latest from NSA
 
 * Mon Jul 19 2004 Dan Walsh <dwalsh@redhat.com> 1.15.2-1
@@ -2048,7 +2123,7 @@ Resolves: #200110
 * Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
 - rebuilt
 
-* Sat Jun 13 2004 Dan Walsh <dwalsh@redhat.com> 1.13.3-2
+* Sun Jun 13 2004 Dan Walsh <dwalsh@redhat.com> 1.13.3-2
 - Fix selinux_config to break once it finds SELINUXTYPE.
 
 * Fri May 28 2004 Dan Walsh <dwalsh@redhat.com> 1.13.2-1
@@ -2060,7 +2135,7 @@ Resolves: #200110
 * Mon May 17 2004 Dan Walsh <dwalsh@redhat.com> 1.12-2
 - add man patch
 
-* Thu May 14 2004 Dan Walsh <dwalsh@redhat.com> 1.12-1
+* Fri May 14 2004 Dan Walsh <dwalsh@redhat.com> 1.12-1
 - Update with latest from NSA
 
 * Wed May 5 2004 Dan Walsh <dwalsh@redhat.com> 1.11.4-1
@@ -2152,7 +2227,7 @@ Resolves: #200110
 * Mon Oct 27 2003 Dan Walsh <dwalsh@redhat.com> 1.3-2
 - Fix x86_64 build
 
-* Wed Oct 21 2003 Dan Walsh <dwalsh@redhat.com> 1.3-1
+* Wed Oct 22 2003 Dan Walsh <dwalsh@redhat.com> 1.3-1
 - Latest tarball from NSA.
 
 * Tue Oct 21 2003 Dan Walsh <dwalsh@redhat.com> 1.2-9
@@ -2176,12 +2251,11 @@ Resolves: #200110
 * Fri Sep  12 2003 Dan Walsh <dwalsh@redhat.com> 1.2-3
 - Update with latest from NSA.
 
-* Fri Aug  28 2003 Dan Walsh <dwalsh@redhat.com> 1.2-2
+* Thu Aug  28 2003 Dan Walsh <dwalsh@redhat.com> 1.2-2
 - Fix to build on x86_64
 
 * Thu Aug  21 2003 Dan Walsh <dwalsh@redhat.com> 1.2-1
 - update for version 1.2
 
-* Wed May 27 2003 Dan Walsh <dwalsh@redhat.com> 1.0-1
+* Tue May 27 2003 Dan Walsh <dwalsh@redhat.com> 1.0-1
 - Initial version
-

selinuxconlist.8

@@ -0,0 +1,18 @@
+.TH "selinuxconlist" "1" "7 May 2008" "dwalsh@redhat.com" "SELinux Command Line documentation"
+.SH "NAME"
+selinuxconlist \- list all SELinux context reachable for user
+.SH "SYNOPSIS"
+.B selinuxconlist [-l level] user [context]
+
+.SH "DESCRIPTION"
+.B selinuxconlist
+reports the list of context reachable for user from the current context or specified context
+
+.B \-l level
+mcs/mls level
+
+.SH AUTHOR	
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+
+.SH "SEE ALSO"
+secon(8), selinuxdefcon(8)

selinuxdefcon.8

@@ -0,0 +1,24 @@
+.TH "selinuxdefcon" "1" "7 May 2008" "dwalsh@redhat.com" "SELinux Command Line documentation"
+.SH "NAME"
+selinuxdefcon \- report default SELinux context for user 
+
+.SH "SYNOPSIS"
+.B selinuxdefcon [-l level] user fromcon
+
+.SH "DESCRIPTION"
+.B selinuxdefcon
+reports the default context for the specified user from the specified context
+
+.B \-l level
+mcs/mls level
+
+.SH EXAMPLE
+# selinuxdefcon jsmith system_u:system_r:sshd_t:s0
+.br
+unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+
+.SH AUTHOR	
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+
+.SH "SEE ALSO"
+secon(8), selinuxconlist(8)

sources

@@ -1 +1 @@
-34ba81b68ddf832a0a4272fe889050dc  libselinux-2.1.11.tgz
+71a3a6ade9be8b31567fa9437e00698d  libselinux-2.1.12.tgz